China will Tighten Cybersecurity in Securities and Futures Industry
The CSRC published its provisional measures on safeguarding information security as early as 2005; they were replaced by the version currently in force in 2012. At that time, China had very few laws or regulations on cybersecurity or data protection.
Since 2016, a number of important applicable laws and regulations have been enacted, and the current CSRC measures on information security have become obsolete. In particular, the Cybersecurity Law (“CSL”), the Data Security Law (“DSL”) and the Personal Information Protection Law (“PIPL”) have reshaped the Chinese regulatory framework for cybersecurity and data protection. In light of these regulatory developments, the CSRC published the draft measures.
KEY PROVISIONS AND OBSERVATIONS
I. Who is subject to the Draft Measures
The draft measures apply to the following three types of entities:
- Core institutions, referring to institutions that perform public functions or operate information infrastructure in the securities and futures market, such as securities and futures exchanges, securities depository and clearing institutions, and securities margin deposit monitoring agencies;
- Operating institutions, referring to securities and futures trading institutions, such as securities companies, futures companies and fund management companies; and
- Information technology (IT) service institutions, referring to institutions that provide products or services for the development, testing, integration, evaluation, maintenance and day-to-day security management of important securities and futures business information systems.
While core institutions and operating institutions are the focus of the draft measures, relevant IT service providers should also pay attention to the measures that apply to them.
II. Cybersecurity measures
Core institutions and operating institutions are required to implement a number of measures to ensure the security of their network systems. Key measures include:
- establish a sound cybersecurity management system consisting of the governance, decision-making, management, enforcement and oversight of information technology;
- make the head of the institution (usually the legal representative) the main person responsible for cybersecurity and the person in charge of technology the person directly responsible for cybersecurity;
- ensure an adequate number of qualified staff and adequate funding for business activities;
- ensure adequate performance, capacity, reliability, scalability and security of the information system and infrastructure;
- implement the multi-level protection scheme (“MLPS”), which is the central regime for protecting cybersecurity under the CSL, and report implementation details to the CSRC;
- take precautionary measures before setting up, altering or dismantling important information systems;
- notify investors of the impact and alternatives and other response measures before suspending or canceling any online service;
- establish a sound early warning system;
- establish a backup of data and error and disaster recovery facilities;
- conduct a pressure test on important information systems at least every six months and also participate in the industry-wide pressure test organized by the CSRC;
- strengthen its management of the supply of information products and services;
- continue to improve controllable and autonomously developed technologies; and
- take effective measures to protect the intellectual property of the institutions.
IT service institutions should also establish a cybersecurity management system and make a filing with the CSRC if they provide products and services to core and operating institutions.
III. Data security measures
The draft measures also set out data security measures for core and operating institutions, such as:
- establish and refine data security management systems and organizational structure;
- formulate industry data standards and implement classified and graded data management;
- formulate a data access authorization strategy; and
- establish a framework for evaluating data quality.
The requirements set out in the draft measures on the processing of important data, core data and personal information generally reflect those of the DSL and PIPL. In particular, an information system that processes important data must meet the protection requirements of level three or higher under the MLPS, which is also consistent with the requirement in the draft Regulation on the Administration of Network Data Security (“Network Data Security Management Regulation (Draft for Comments)”).
The CSRC may also designate certain institutions to establish strategic backup data centers for the securities and futures industry, which will provide centralized data backups. Core institutions and operating institutions must submit data to these data centers. Although not specified, this data may include important data, core data and personal information.
IV. Response to cybersecurity incidents
The draft measures place great emphasis on incident response, including by imposing obligations on core institutions and operating institutions to:
- establish a cybersecurity risk monitoring and early warning system;
- prepare cybersecurity incident response plans;
- conduct cybersecurity response drills at least once a year;
- establish a cybersecurity incident response mechanism and report the incident to the CSRC;
- initiate an internal investigation after the incident and cooperate with the CSRC in its investigation; and
- publish any alternative measures or other response measures that may be taken by the parties involved.
The CSRC may also require core institutions and operating institutions to notify investors if the incident is detrimental to the interests of investors.
V. Cybersecurity of critical information infrastructure
The concept of critical information infrastructure (“CII”) was first introduced into law by the CSL in 2016. The central government published the Regulation on the Security Protection of Critical Information Infrastructure (“CII Regulation”) in 2021 to implement the CII protection regime.
CII is essentially a selected group of networks or information systems that are considered to be of particular importance in key industries or sectors, which include, among others, the financial sector. Under the CII Regulation, sectoral regulators are to formulate rules for identifying CII, identify CII accordingly, and notify the CII operators. As of the date of this article, we have not seen any public report that a sector regulator has formulated the identification rules or identified any CII.
The draft measures devote a chapter to the cybersecurity of CII. While most of the requirements are consistent with those of the CII Regulation, the draft measures also require CII operators in the securities and futures sector to:
- establish a designated cybersecurity leadership group or department that has appropriate staff with cybersecurity specialists;
- carry out an expert evaluation before altering or decommissioning any CII operation that may affect the stable functioning of the market;
- ensure adequate system performance and network capacity; and
- establish both local and remote disaster recovery centers.
VI. Legal liability
The draft measures authorize the CSRC to impose penalties for violations in accordance with the CSL, DSL and PIPL. Where violations also raise issues of corporate governance, internal control or business continuity, the CSRC may also impose penalties in accordance with applicable securities and futures laws and regulations.
In addition, the CSRC may take disciplinary action against the offending institutions and the personnel responsible for the offense.
In particular, the CSRC has the power to require institutions to provide information and data relevant to cybersecurity management, and institutions must cooperate. Core institutions and operating institutions must prepare an annual cybersecurity management report and submit it to the CSRC by April 30 of each year.
The draft measures are the CSRC’s response to the tightening of cybersecurity and data protection requirements in the regulatory framework established by the CSL, DSL and PIPL. The CSRC joins its fellow financial regulators in implementing these requirements in the financial sector.
Financial institutions in the securities and futures industry, as well as their IT providers, should keep up to date with these developments and be prepared for the new requirements that will be implemented in the near future.